Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/04/30 16:39:07 UTC
svn commit: r1477665 - in /jackrabbit/oak/trunk/oak-core/src:
main/java/org/apache/jackrabbit/oak/security/authorization/
main/java/org/apache/jackrabbit/oak/security/authorization/permission/
test/java/org/apache/jackrabbit/oak/security/authorization/...
Author: angela
Date: Tue Apr 30 14:39:07 2013
New Revision: 1477665
URL: http://svn.apache.org/r1477665
Log:
OAK-787 : Accessibility of NodeTypes, Namespaces and Privileges
Added:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConstants.java Tue Apr 30 14:39:07 2013
@@ -17,8 +17,12 @@
package org.apache.jackrabbit.oak.security.authorization;
import java.util.Collection;
+import java.util.Set;
import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
/**
* Constants for this access control management implementation.
@@ -66,4 +70,18 @@ public interface AccessControlConstants
* @since OAK 1.0
*/
String PARAM_PERMISSIONS_JR2 = "permissionsJr2";
+
+ /**
+ * Configuration parameter to enable full read access to regular nodes and
+ * properties at the specified paths.
+ */
+ String PARAM_READ_PATHS = "readPaths";
+
+ /**
+ * Default value for the {@link #PARAM_READ_PATHS} configuration parameter.
+ */
+ Set<String> DEFAULT_READ_PATHS = ImmutableSet.of(
+ NamespaceConstants.NAMESPACES_PATH,
+ NodeTypeConstants.NODE_TYPES_PATH,
+ PrivilegeConstants.PRIVILEGES_PATH);
}
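Review bot: The Javadoc on `PARAM_READ_PATHS` understates what the option does. Going by `isReadablePath` in CompiledPermissionImpl (same commit), a configured path makes its whole subtree readable, because the match is `Text.isDescendantOrEqual`, and the grant does not depend on which principals the session has. I would state that in the comment, e.g. `Paths whose subtrees are readable (regular nodes and properties, not access control content) for any non-empty set of principals.` The expected value type (`Set<String>` of Oak paths, judging by the default) should be documented too, since both call sites hand the raw configuration value to the permission evaluation.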
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Tue Apr 30 14:39:07 2013
@@ -39,6 +39,7 @@ import javax.jcr.security.AccessControlE
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
+import javax.jcr.security.NamedAccessControlPolicy;
import javax.jcr.security.Privilege;
import com.google.common.base.Objects;
@@ -104,6 +105,8 @@ public class AccessControlManagerImpl im
private final RestrictionProvider restrictionProvider;
private final ReadOnlyNodeTypeManager ntMgr;
+ private final Set<String> readPaths;
+
private PermissionProvider permissionProvider;
public AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper,
@@ -117,6 +120,8 @@ public class AccessControlManagerImpl im
acConfig = securityProvider.getAccessControlConfiguration();
restrictionProvider = acConfig.getRestrictionProvider(namePathMapper);
ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
+
+ readPaths = acConfig.getConfigurationParameters().getConfigValue(PARAM_READ_PATHS, DEFAULT_READ_PATHS);
}
//-----------------------------------------------< AccessControlManager >---
@@ -150,11 +155,15 @@ public class AccessControlManagerImpl im
String oakPath = getOakPath(absPath);
Tree tree = getTree(oakPath, Permissions.READ_ACCESS_CONTROL);
AccessControlPolicy policy = createACL(oakPath, tree, false);
+
+ List<AccessControlPolicy> policies = new ArrayList<AccessControlPolicy>(2);
if (policy != null) {
- return new AccessControlPolicy[]{policy};
- } else {
- return new AccessControlPolicy[0];
+ policies.add(policy);
}
+ if (readPaths.contains(oakPath)) {
+ policies.add(ReadPolicy.INSTANCE);
+ }
+ return policies.toArray(new AccessControlPolicy[policies.size()]);
}
@Nonnull
@@ -162,6 +171,7 @@ public class AccessControlManagerImpl im
public AccessControlPolicy[] getEffectivePolicies(@Nullable String absPath) throws RepositoryException {
String oakPath = getOakPath(absPath);
Tree tree = getTree(oakPath, Permissions.READ_ACCESS_CONTROL);
+
List<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
AccessControlPolicy policy = createACL(oakPath, tree, true);
if (policy != null) {
@@ -178,6 +188,9 @@ public class AccessControlManagerImpl im
parentPath = (PathUtils.denotesRoot(parentPath)) ? "" : Text.getRelativeParent(parentPath, 1);
}
}
+ if (readPaths.contains(oakPath)) {
+ effective.add(ReadPolicy.INSTANCE);
+ }
return effective.toArray(new AccessControlPolicy[effective.size()]);
}
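Review bot: `getEffectivePolicies` adds `ReadPolicy.INSTANCE` only on an exact `readPaths.contains(oakPath)` match, while `CompiledPermissionImpl.isReadablePath` in this commit grants read on the configured path and every descendant. A caller auditing a node below a read path therefore gets no hint that read access is in effect there. The effective-policy check should use the same subtree match as the evaluation; the null guard below assumes `getOakPath` can return null for a null `absPath`, which is not visible here. The method starts in the previous hunk, and the `contains` check in the `getPolicies` hunk above can stay exact, since the policy is bound at the configured path.

```java
// … unchanged: ACL collection for oakPath and its ancestors …
if (oakPath != null) {
    for (String readPath : readPaths) {
        if (Text.isDescendantOrEqual(readPath, oakPath)) {
            effective.add(ReadPolicy.INSTANCE);
            break;
        }
    }
}
return effective.toArray(new AccessControlPolicy[effective.size()]);
```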
@@ -852,4 +865,16 @@ public class AccessControlManagerImpl im
return 0;
}
}
+
+ private static class ReadPolicy implements NamedAccessControlPolicy {
+
+ private static final NamedAccessControlPolicy INSTANCE = new ReadPolicy();
+
+ private ReadPolicy() {}
+
+ @Override
+ public String getName() throws RepositoryException {
+ return "Grants read access on configured trees (default: node types, namespaces and privileges).";
+ }
+ }
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Tue Apr 30 14:39:07 2013
@@ -46,6 +46,7 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;
@@ -61,6 +62,9 @@ class CompiledPermissionImpl implements
private final RestrictionProvider restrictionProvider;
private final Map<String, ImmutableTree> trees;
+ // TODO: merge readPaths with readStatus structure
+ private final Set<String> readPaths;
+
private PrivilegeBitsProvider bitsProvider;
private Map<Key, PermissionEntry> repoEntries;
private Map<Key, PermissionEntry> userEntries;
@@ -69,11 +73,13 @@ class CompiledPermissionImpl implements
CompiledPermissionImpl(@Nonnull Set<Principal> principals,
@Nonnull ImmutableTree permissionsTree,
@Nonnull PrivilegeBitsProvider bitsProvider,
- @Nonnull RestrictionProvider restrictionProvider) {
+ @Nonnull RestrictionProvider restrictionProvider,
+ @Nonnull Set<String> readPaths) {
checkArgument(!principals.isEmpty());
this.principals = principals;
this.restrictionProvider = restrictionProvider;
this.bitsProvider = bitsProvider;
+ this.readPaths = readPaths;
this.trees = new HashMap<String, ImmutableTree>(principals.size());
buildEntries(permissionsTree);
}
@@ -111,6 +117,10 @@ class CompiledPermissionImpl implements
//------------------------------------------------< CompiledPermissions >---
@Override
public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState property) {
+ // TODO merge with readstatus
+ if (isReadablePath(tree, null)) {
+ return ReadStatus.ALLOW_ALL_REGULAR;
+ }
long permission = (property == null) ? Permissions.READ_NODE : Permissions.READ_PROPERTY;
Iterator<PermissionEntry> it = getEntryIterator(tree, property);
while (it.hasNext()) {
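Review bot: The early return in `getReadStatus` answers `ReadStatus.ALLOW_ALL_REGULAR` before any permission entry is read, so a deny entry for the session's principals at or below a read path has no effect on the read status. The later hunks follow the same pattern: `getPrivilegeBits` adds `jcr:read` after its loop without regard to `denyBits`, and `hasPermissions` seeds `allows` with `Permissions.READ`. If this precedence is intended, replace the TODO with a comment that says so, e.g. `// read paths take precedence over all entries, including denies (OAK-787)`. Whether `hasPermissions` reaches the same answer when a deny entry exists depends on loop code outside these hunks, so the three paths should be checked against each other. The method body continues past the hunk.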
@@ -182,7 +192,9 @@ class CompiledPermissionImpl implements
private boolean hasPermissions(@Nonnull Iterator<PermissionEntry> entries,
long permissions, @Nullable Tree tree, @Nullable String path) {
- if (!entries.hasNext()) {
+ // calculate readable paths if the given permissions includes any read permission.
+ boolean isReadable = Permissions.diff(Permissions.READ, permissions) != Permissions.READ && isReadablePath(tree, path);
+ if (!entries.hasNext() && !isReadable) {
return false;
}
@@ -191,10 +203,13 @@ class CompiledPermissionImpl implements
Permissions.includes(permissions, Permissions.REMOVE_NODE) ||
Permissions.includes(permissions, Permissions.MODIFY_CHILD_NODE_COLLECTION));
- long allows = Permissions.NO_PERMISSION;
+ long allows = (isReadable) ? Permissions.READ : Permissions.NO_PERMISSION;
long denies = Permissions.NO_PERMISSION;
PrivilegeBits allowBits = PrivilegeBits.getInstance();
+ if (isReadable) {
+ allowBits.add(bitsProvider.getBits(PrivilegeConstants.JCR_READ));
+ }
PrivilegeBits denyBits = PrivilegeBits.getInstance();
PrivilegeBits parentAllowBits;
PrivilegeBits parentDenyBits;
@@ -243,7 +258,8 @@ class CompiledPermissionImpl implements
}
}
}
- return false;
+
+ return (allows | ~permissions) == -1;
}
private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
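Review bot: The new fall-through `return (allows | ~permissions) == -1;` is a hand-written inclusion test that never looks at `denies`, and it replaces an unconditional `return false` for every path, not only the readable ones. The loop that fills `allows` and `denies` is outside the hunk, so I cannot confirm that a denied bit always leads to an earlier `return false`; a short comment stating that invariant would help. For readability I would use the helper already called a few lines up, `return Permissions.includes(allows, permissions);`, assuming it has the usual "all requested bits present" meaning. The comment added at the top of the method could also mention that `isReadable` is only computed when the request contains at least one read bit.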
@@ -262,6 +278,11 @@ class CompiledPermissionImpl implements
denyBits.addDifference(entry.privilegeBits, allowBits);
}
}
+
+ // special handling for paths that are always readable
+ if (isReadablePath(tree, null)) {
+ allowBits.add(bitsProvider.getBits(PrivilegeConstants.JCR_READ));
+ }
return allowBits;
}
@@ -273,6 +294,20 @@ class CompiledPermissionImpl implements
return Iterators.concat(new EntryIterator(userEntries, path), new EntryIterator(groupEntries, path));
}
+ private boolean isReadablePath(@Nullable Tree tree, @Nullable String treePath) {
+ if (!readPaths.isEmpty()) {
+ String targetPath = (tree != null) ? tree.getPath() : treePath;
+ if (targetPath != null) {
+ for (String path : readPaths) {
+ if (Text.isDescendantOrEqual(path, targetPath)) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+
private static final class Key implements Comparable<Key> {
private final String path;
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Tue Apr 30 14:39:07 2013
@@ -81,7 +81,10 @@ public class PermissionProviderImpl impl
if (permissionsTree == null || principals.isEmpty()) {
compiledPermissions = NoPermissions.getInstance();
} else {
- compiledPermissions = new CompiledPermissionImpl(principals, permissionsTree, getBitsProvider(), acConfig.getRestrictionProvider(NamePathMapper.DEFAULT));
+ compiledPermissions = new CompiledPermissionImpl(principals,
+ permissionsTree, getBitsProvider(),
+ acConfig.getRestrictionProvider(NamePathMapper.DEFAULT),
+ acConfig.getConfigurationParameters().getConfigValue(AccessControlConstants.PARAM_READ_PATHS, AccessControlConstants.DEFAULT_READ_PATHS));
}
}
}
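Review bot: The read paths only reach `CompiledPermissionImpl`; the branch just above still selects `NoPermissions.getInstance()` when `permissionsTree == null` or `principals.isEmpty()`. In those cases the configured paths are presumably not readable, while `AccessControlManagerImpl` continues to report `ReadPolicy` for them. If that is intended, a comment on the `if` should say so, e.g. `// read paths are not applied without principals or a permission store`. The `getConfigValue(PARAM_READ_PATHS, DEFAULT_READ_PATHS)` lookup is now duplicated here and in `AccessControlManagerImpl`, so a single accessor would keep the two from drifting apart. The enclosing method starts outside the hunk.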
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java Tue Apr 30 14:39:07 2013
@@ -70,7 +70,6 @@ import org.apache.jackrabbit.oak.util.No
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.junit.After;
import org.junit.Before;
-import org.junit.Ignore;
import org.junit.Test;
import static org.junit.Assert.assertArrayEquals;
@@ -646,7 +645,6 @@ public class AccessControlManagerImplTes
}
- @Ignore("OAK-787") // FIXME
@Test
public void testTestSessionGetPrivileges() throws Exception {
setupPolicy(testPath);
Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java?rev=1477665&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ReadPolicyTest.java Tue Apr 30 14:39:07 2013
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+
+import java.util.Set;
+import javax.jcr.security.AccessControlPolicy;
+
+import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
+import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Tests for the special {@code ReadPolicy} exposed at specified paths.
+ */
+public class ReadPolicyTest extends AbstractAccessControlTest {
+
+ private Set<String> readPaths;
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ super.before();
+
+ ConfigurationParameters options = getSecurityProvider().getAccessControlConfiguration().getConfigurationParameters();
+ readPaths = options.getConfigValue(AccessControlConstants.PARAM_READ_PATHS, AccessControlConstants.DEFAULT_READ_PATHS);
+ }
+
+ @Test
+ public void testGetPolicies() throws Exception {
+ for (String path : readPaths) {
+ AccessControlPolicy[] policies = getAccessControlManager(root).getPolicies(path);
+ assertTrue(policies.length > 0);
+ boolean found = false;
+ for (AccessControlPolicy policy : policies) {
+ if ("org.apache.jackrabbit.oak.security.authorization.AccessControlManagerImpl$ReadPolicy".equals(policy.getClass().getName())) {
+ found = true;
+ break;
+ }
+ }
+ assertTrue(found);
+ }
+ }
+
+ @Test
+ public void testGetEffectivePolicies() throws Exception {
+ for (String path : readPaths) {
+ AccessControlPolicy[] policies = getAccessControlManager(root).getPolicies(path);
+ assertTrue(policies.length > 0);
+ boolean found = false;
+ for (AccessControlPolicy policy : policies) {
+ if ("org.apache.jackrabbit.oak.security.authorization.AccessControlManagerImpl$ReadPolicy".equals(policy.getClass().getName())) {
+ found = true;
+ break;
+ }
+ }
+ assertTrue(found);
+ }
+ }
+}
\ No newline at end of file
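Review bot: `testGetEffectivePolicies` calls `getPolicies(path)`, so it repeats `testGetPolicies` and leaves the `getEffectivePolicies` change in this commit untested. The call should be `AccessControlPolicy[] policies = getAccessControlManager(root).getEffectivePolicies(path);`. Both tests also only probe the configured paths themselves; a case for a child of a read path would pin down whether the policy is meant to be reported for descendants. The file has no trailing newline.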
Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java?rev=1477665&r1=1477664&r2=1477665&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImplTest.java Tue Apr 30 14:39:07 2013
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
import java.security.Principal;
import java.security.acl.Group;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
@@ -27,6 +28,7 @@ import javax.annotation.Nonnull;
import com.google.common.base.Objects;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
+import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Tree;
@@ -35,12 +37,14 @@ import org.apache.jackrabbit.oak.core.Im
import org.apache.jackrabbit.oak.core.TreeTypeProvider;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
+import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.OpenAccessControlConfiguration;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
@@ -55,14 +59,15 @@ import org.junit.Test;
import static org.apache.jackrabbit.JcrConstants.JCR_PRIMARYTYPE;
import static org.apache.jackrabbit.JcrConstants.NT_UNSTRUCTURED;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
/**
* CompiledPermissionImplTest... TODO
*/
-@Ignore("work in progress")
-public class CompiledPermissionImplTest extends AbstractSecurityTest
- implements PermissionConstants, PrivilegeConstants {
+public class CompiledPermissionImplTest extends AbstractSecurityTest implements PermissionConstants, PrivilegeConstants {
private Principal userPrincipal;
private Principal group1;
@@ -129,6 +134,7 @@ public class CompiledPermissionImplTest
};
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus() throws Exception {
allow(userPrincipal, "/", 0, JCR_READ);
@@ -137,6 +143,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus1() throws Exception {
allow(group1, node2Path, 0, JCR_READ);
@@ -147,6 +154,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, node2Path);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus2() throws Exception {
allow(userPrincipal, "/", 0, JCR_READ);
@@ -156,6 +164,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus3() throws Exception {
allow(group1, "/", 0, JCR_READ);
@@ -165,6 +174,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.DENY_ALL_REGULAR, cp, allPaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus4() throws Exception {
allow(group1, "/", 0, JCR_READ);
@@ -174,6 +184,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus5() throws Exception {
allow(userPrincipal, "/", 0, JCR_READ);
@@ -183,6 +194,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, allPaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus6() throws Exception {
allow(group2, "/", 0, JCR_READ);
@@ -194,6 +206,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.DENY_ALL_REGULAR, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus7() throws Exception {
allow(group2, "/", 0, REP_READ_PROPERTIES);
@@ -205,6 +218,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus8() throws Exception {
allow(userPrincipal, "/", 0, REP_READ_PROPERTIES);
@@ -216,6 +230,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus9() throws Exception {
allow(group2, "/", 0, REP_READ_PROPERTIES);
@@ -227,6 +242,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus10() throws Exception {
deny(group2, "/", 0, JCR_READ);
@@ -238,6 +254,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_NODES, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus11() throws Exception {
deny(group2, "/", 0, JCR_READ);
@@ -251,6 +268,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_NODES, cp, node2Path);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus12() throws Exception {
allow(group1, "/", 0, JCR_READ);
@@ -263,6 +281,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_NODES, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus13() throws Exception {
allow(group1, "/", 0, JCR_READ);
@@ -276,6 +295,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus14() throws Exception {
allow(group1, "/", 0, REP_READ_NODES);
@@ -289,6 +309,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, cp, nodePaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus15() throws Exception {
allow(group1, "/", 0, REP_READ_NODES);
@@ -303,6 +324,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_PROPERTIES, cp, node2Path);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus16() throws Exception {
allow(group1, "/", 0, JCR_READ, JCR_READ_ACCESS_CONTROL);
@@ -311,6 +333,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL, cp, allPaths);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus17() throws Exception {
allow(group1, node1Path, 0, JCR_READ, JCR_READ_ACCESS_CONTROL);
@@ -321,6 +344,7 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_NODES, cp, node2Path);
}
+ @Ignore("OAK-774")
@Test
public void testGetReadStatus18() throws Exception {
allow(group1, node1Path, 0, JCR_READ);
@@ -331,6 +355,61 @@ public class CompiledPermissionImplTest
assertReadStatus(ReadStatus.ALLOW_ALL, cp, node2Path);
}
+ @Test
+ public void testGetReadStatusForReadPaths() throws Exception {
+ CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+ assertReadStatus(ReadStatus.ALLOW_ALL_REGULAR, ReadStatus.ALLOW_ALL_REGULAR, cp, new ArrayList<String>(AccessControlConstants.DEFAULT_READ_PATHS));
+ }
+
+ @Test
+ public void testIsGrantedForReadPaths() throws Exception {
+ CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+ for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+ assertTrue(cp.isGranted(path, Permissions.READ));
+ assertTrue(cp.isGranted(path, Permissions.READ_NODE));
+ assertTrue(cp.isGranted(path + '/' + JcrConstants.JCR_PRIMARYTYPE, Permissions.READ_PROPERTY));
+ assertFalse(cp.isGranted(path, Permissions.READ_ACCESS_CONTROL));
+ }
+
+ for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+ Tree tree = root.getTree(path);
+ assertTrue(cp.isGranted(tree, null, Permissions.READ));
+ assertTrue(cp.isGranted(tree, null, Permissions.READ_NODE));
+ assertTrue(cp.isGranted(tree, tree.getProperty(JcrConstants.JCR_PRIMARYTYPE), Permissions.READ_PROPERTY));
+ assertFalse(cp.isGranted(tree, null, Permissions.READ_ACCESS_CONTROL));
+ }
+
+ assertFalse(cp.isGranted(Permissions.READ));
+ assertFalse(cp.isGranted(Permissions.READ_NODE));
+ assertFalse(cp.isGranted(Permissions.READ_PROPERTY));
+ assertFalse(cp.isGranted(Permissions.READ_ACCESS_CONTROL));
+ }
+
+ @Test
+ public void testGetPrivilegesForReadPaths() throws Exception {
+ CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+ for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+ Tree tree = root.getTree(path);
+ assertEquals(Collections.singleton(PrivilegeConstants.JCR_READ), cp.getPrivileges(tree));
+ }
+
+ assertEquals(Collections.<String>emptySet(), cp.getPrivileges(null));
+ }
+
+ @Test
+ public void testHasPrivilegesForReadPaths() throws Exception {
+ CompiledPermissionImpl cp = createPermissions(Collections.singleton(userPrincipal));
+ for (String path : AccessControlConstants.DEFAULT_READ_PATHS) {
+ Tree tree = root.getTree(path);
+ assertTrue(cp.hasPrivileges(tree, PrivilegeConstants.JCR_READ));
+ assertTrue(cp.hasPrivileges(tree, PrivilegeConstants.REP_READ_NODES));
+ assertTrue(cp.hasPrivileges(tree, PrivilegeConstants.REP_READ_PROPERTIES));
+ assertFalse(cp.hasPrivileges(tree, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+ }
+
+ assertFalse(cp.hasPrivileges(null, PrivilegeConstants.JCR_READ));
+ }
+
// TODO: tests with restrictions
// TODO: complex tests with entries for paths outside of the tested hierarchy
// TODO: tests for isGranted
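Review bot: The four new tests only cover a principal without any permission entries, and only the default read paths themselves plus their `jcr:primaryType` property. Nothing pins down what happens when an explicit deny exists on a read path, which is the case where `getReadStatus`, `isGranted` and `getPrivileges` could disagree. I would add a test that first calls `deny(userPrincipal, path, 0, JCR_READ);` for a read path and then asserts the expected outcome on all three APIs. A descendant node below a read path deserves an assertion as well, since the implementation matches whole subtrees.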
@@ -339,7 +418,7 @@ public class CompiledPermissionImplTest
private CompiledPermissionImpl createPermissions(Set<Principal> principals) {
ImmutableTree permissionsTree = new ImmutableRoot(root, TreeTypeProvider.EMPTY).getTreeOrNull(PERMISSIONS_STORE_PATH);
- return new CompiledPermissionImpl(principals, permissionsTree, pbp, rp);
+ return new CompiledPermissionImpl(principals, permissionsTree, pbp, rp, AccessControlConstants.DEFAULT_READ_PATHS);
}
private void allow(Principal principal, String path, int index, String... privilegeNames) throws CommitFailedException {